Bank Card Data of Five Million Stolen in Saks and Lord & Taylor Data Breach

A hacking syndicate known as JokerStash (also identified as Fin7 and Carbanak) announced the sale of five million stolen payment cards on the dark web last March 28. A security firm investigating this sale reports that the victims were most likely customers of the high-end retailers Saks Fifth Avenue and Lord & Taylor. This was confirmed on April 1 through an announcement from Saks and its parent company, the Hudson’s Bay Company, after they became aware of a “data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America.” This is the latest in a string of high-profile breaches attributed to Fin7, whose previous victims include Trump Hotels, Whole Foods, and Chipotle.

The current batch of compromised records is named BIGBADABOOM-2. According to the security firm, the majority of the stolen records came from compromised New York and New Jersey locations, and the period of collection may have started in May 2017. So far, only a small percentage of the records have been released for sale — a common tactic for large caches of compromised records. The group will likely sell the records in small batches to avoid flooding the market. Hudson’s Bay has reportedly taken steps to contain the breach and is offering free identity protection, credit and web monitoring services to anyone impacted.

Some news outlets are reporting that this is a point-of-sale (PoS) breach, stating that “the data appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month.”

Past PoS incidents linked to data breaches

Other incidents involving PoS malware this year show how this old threat is still a clear danger for retailers, restaurants, hotels and other brick-and-mortar vendors. In January, Forever 21 disclosed how PoS malware was linked to its data breach, while Applebee’s also uncovered PoS malware on its systems in early March.

Many of the PoS malware families we’ve seen in the past — AbaddonPOS, RawPOS, and MajikPOS — were used in tandem with other threats, such as backdoors and keyloggers. Such multi-pronged attacks are more advantageous for attackers because they net different types of data to sell.

Because this threat has proven to be so effective in the past, businesses have to stay ahead of the curve and put more stringent defenses in place to protect their customers’ data. Regulatory bodies are already enforcing new standards that require enterprises to prevent data breaches such as these and to ensure that citizens’ personal information is protected. The EU’s General Data Protection Regulation (GDPR) will be implemented on May 25, 2018, and carries stiff fines for entities that do not have proper data security in place.

Solutions and mitigation tactics

Customers of the affected stores can take advantage of the free identity protection, as well as credit and web monitoring services that the company has offered.

For businesses that want to avoid incidents such as this, here are some countermeasures that can mitigate this threat:
